
Analysis Report 19Yrqeedx.pif

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 102805
Start date: 11.01.2019
Start time: 19:34:31
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 15s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 19Yrqeedx.pif (renamed file extension from pif to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal88.troj.expl.evad.winEXE@8/14@0/6
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 96.4% (good quality ratio 70.9%)
  • Quality average: 53.2%
  • Quality standard deviation: 39.1%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 74
  • Number of non-executed functions: 92
Cookbook Comments:
  • Adjust boot time
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, wermgr.exe, MusNotifyIcon.exe, conhost.exe, CompatTelRunner.exe, svchost.exe
  • Report size getting too big, too many NtOpenFile calls found.

Detection

Strategy: Threshold
Score: 88
Range: 0 - 100
Reporting: Report FP / FN
Whitelisted: false
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

(Matrix flattened by extraction; listed here per tactic column, top row first. The digit following a technique name is the report's signature-count badge, kept as shown on the page.)

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application
Execution: Exploitation for Client Execution 2; Service Execution; Windows Management Instrumentation; Scheduled Task
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware
Privilege Escalation: Process Injection 11; Accessibility Features; Path Interception; DLL Search Order Hijacking
Defense Evasion: Masquerading 11; Software Packing 1; Process Injection 11; Obfuscated Files or Information 11
Credential Access: Input Capture 1; Network Sniffing; Input Capture; Credentials in Files
Discovery: Process Discovery 1; Security Software Discovery 41; File and Directory Discovery 1; System Information Discovery 11
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts
Collection: Input Capture 1; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted
Command and Control: Uncommonly Used Port 1; Standard Cryptographic Protocol 1; Custom Cryptographic Protocol; Multiband Communication

Signature Overview



AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user~1\AppData\Local\Temp\services.exe | Avira: Label: TR/Mydoom.BB.1
Source: C:\Windows\java.exe | Avira: Label: WORM/Mydoom.O.1
Source: C:\Windows\services.exe | Avira: Label: TR/Mydoom.BB.1
Antivirus detection for submitted file
Source: 19Yrqeed.exe | Avira: Label: WORM/Mydoom.O.1
Multi AV Scanner detection for dropped file
Source: C:\Users\user~1\AppData\Local\Temp\services.exe | virustotal: Detection: 86%
Source: C:\Users\user~1\AppData\Local\Temp\services.exe | metadefender: Detection: 82%
Source: C:\Windows\services.exe | virustotal: Detection: 86%
Source: C:\Windows\services.exe | metadefender: Detection: 82%
Antivirus detection for unpacked file
Source: 2.0.19Yrqeedx.exe.500000.1.unpack | Avira: Label: WORM/Mydoom.MA
Source: 4.0.services.exe.400000.2.unpack | Avira: Label: TR/Mydoom.BB.1
Source: 2.2.19Yrqeedx.exe.500000.0.unpack | Avira: Label: TR/Spy.Agent.afe
Source: 7.2.java.exe.500000.0.unpack | Avira: Label: TR/Spy.Agent.afe
Source: 4.0.services.exe.400000.0.unpack | Avira: Label: TR/Mydoom.BB.1
Source: 4.2.services.exe.400000.0.unpack | Avira: Label: TR/Mydoom.BB.1
Source: 4.0.services.exe.400000.1.unpack | Avira: Label: TR/Mydoom.BB.1
Source: 4.0.services.exe.400000.3.unpack | Avira: Label: TR/Mydoom.BB.1
Source: 8.0.services.exe.400000.0.unpack | Avira: Label: TR/Mydoom.BB.1
Source: 7.1.java.exe.500000.0.unpack | Avira: Label: TR/Spy.Agent.afe
Source: 8.0.services.exe.400000.1.unpack | Avira: Label: TR/Mydoom.BB.1
Source: 2.0.19Yrqeedx.exe.500000.0.unpack | Avira: Label: WORM/Mydoom.MA
Source: 9.1.services.exe.400000.0.unpack | Avira: Label: TR/Mydoom.BB.1
Source: 9.2.services.exe.400000.0.unpack | Avira: Label: TR/Mydoom.BB.1
Source: 8.0.services.exe.400000.3.unpack | Avira: Label: TR/Mydoom.BB.1
Source: 4.1.services.exe.400000.0.unpack | Avira: Label: TR/Mydoom.BB.1
Source: 8.2.services.exe.400000.0.unpack | Avira: Label: TR/Mydoom.BB.1
Source: 7.0.java.exe.500000.0.unpack | Avira: Label: WORM/Mydoom.MA
Source: 9.0.services.exe.400000.0.unpack | Avira: Label: TR/Mydoom.BB.1
Source: 8.0.services.exe.400000.2.unpack | Avira: Label: TR/Mydoom.BB.1
Source: 2.1.19Yrqeedx.exe.500000.0.unpack | Avira: Label: TR/Spy.Agent.afe
Source: 2.0.19Yrqeedx.exe.500000.2.unpack | Avira: Label: WORM/Mydoom.MA
Source: 8.1.services.exe.400000.0.unpack | Avira: Label: TR/Mydoom.BB.1

Spreading:

Enumerates the file system
Source: C:\Users\user\Desktop\19Yrqeedx.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\
Source: C:\Users\user\Desktop\19Yrqeedx.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\
Source: C:\Users\user\Desktop\19Yrqeedx.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\
Source: C:\Users\user\Desktop\19Yrqeedx.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\
Source: C:\Users\user\Desktop\19Yrqeedx.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\
Source: C:\Users\user\Desktop\19Yrqeedx.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Setup\
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\19Yrqeedx.exe | Code function: 2_2_005052AD lstrcat,Sleep,lstrcpy,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose
Source: C:\Windows\java.exe | Code function: 7_2_005052AD lstrcat,Sleep,lstrcpy,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose

Software Vulnerabilities:

Exploit detected, runtime environment starts unknown processes
Source: C:\Windows\java.exe | Process created: C:\Users\user\AppData\Local\Temp\services.exe

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.7:49782 -> 15.139.236.20:1034
Source: global traffic | TCP traffic: 192.168.2.7:49783 -> 15.42.229.113:1034
Source: global traffic | TCP traffic: 192.168.2.7:49788 -> 16.50.1.34:1034
Source: global traffic | TCP traffic: 192.168.2.7:49789 -> 217.44.192.139:1034
Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 15.139.236.20
Source: unknown | TCP traffic detected without corresponding DNS query: 15.139.236.20
Source: unknown | TCP traffic detected without corresponding DNS query: 15.139.236.20
Source: unknown | TCP traffic detected without corresponding DNS query: 15.42.229.113
Source: unknown | TCP traffic detected without corresponding DNS query: 15.42.229.113
Source: unknown | TCP traffic detected without corresponding DNS query: 15.42.229.113
Source: unknown | TCP traffic detected without corresponding DNS query: 16.50.1.34
Source: unknown | TCP traffic detected without corresponding DNS query: 16.50.1.34
Source: unknown | TCP traffic detected without corresponding DNS query: 16.50.1.34
Source: unknown | TCP traffic detected without corresponding DNS query: 217.44.192.139
Source: unknown | TCP traffic detected without corresponding DNS query: 217.44.192.139
Source: unknown | TCP traffic detected without corresponding DNS query: 217.44.192.139
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 217.44.192.139
Source: Joe Sandbox View | IP Address: 15.139.236.20
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: BT-UK-ASBTnetUKRegionalnetworkGB
Source: Joe Sandbox View | ASN Name: HPES-Hewlett-PackardCompanyUS
Contains functionality to download additional files from the internet
Source: C:\Users\user\Desktop\19Yrqeedx.exe | Code function: 2_2_00506AB8 select,recv
Found strings which match to known social media urls
Source: 19Yrqeedx.exe, 00000002.00000000.5066908951.0000000000501000.00000040.sdmp, java.exe, 00000007.00000001.5133241200.0000000000501000.00000040.sdmp | String found in binary or memory: HLOToFrom%s %sSMTPServerSoftware\Microsoft\%s %s Manager\%ssInternetAccountmx.mail.smtp..logzincite"%s"servicesurlmon.dllURLDownloadToCacheFileAhttp://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=%s&nbq=%dhttp://www.altavista.com/web/results?q=%s&kgs=0&kls=0&n=%dhttp://search.yahoo.com/search?p=%s&ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab=&num=%dhttp://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%s%s+%s-contact+replymailtoU equals www.yahoo.com (Yahoo)
Source: 19Yrqeedx.exe, 00000002.00000000.5066908951.0000000000501000.00000040.sdmp, java.exe, 00000007.00000001.5133241200.0000000000501000.00000040.sdmp | String found in binary or memory: hotmail equals www.hotmail.com (Hotmail)
Source: 19Yrqeedx.exe, java.exe | String found in binary or memory: http://search.yahoo.com/search?p=%s&ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab= equals www.yahoo.com (Yahoo)
Source: 19Yrqeedx.exe, 00000002.00000000.5066908951.0000000000501000.00000040.sdmp, java.exe, 00000007.00000001.5133241200.0000000000501000.00000040.sdmp | String found in binary or memory: yahoo equals www.yahoo.com (Yahoo)
Source: 19Yrqeedx.exe, java.exe | String found in binary or memory: yahoo.com equals www.yahoo.com (Yahoo)
Urls found in memory or binary data
Source: 19Yrqeedx.exe, java.exe | String found in binary or memory: http://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=%s
Source: 19Yrqeedx.exe, 00000002.00000000.5066908951.0000000000501000.00000040.sdmp, java.exe, 00000007.00000001.5133241200.0000000000501000.00000040.sdmp | String found in binary or memory: http://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=%s&nbq=%dhttp://www.altavista.c
Source: 19Yrqeedx.exe, java.exe | String found in binary or memory: http://search.yahoo.com/search?p=%s&ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab=
Source: 19Yrqeedx.exe, java.exe | String found in binary or memory: http://www.altavista.com/web/results?q=%s&kgs=0&kls=0
Source: 19Yrqeedx.exe, java.exe | String found in binary or memory: http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%s

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: services.exe, 00000004.00000002.6075949454.0000000000800000.00000004.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Creates files inside the system directory
Source: C:\Users\user\Desktop\19Yrqeedx.exe | File created: C:\Windows\services.exe
Creates mutexes
Source: C:\Windows\java.exe | Mutant created: \Sessions\1\BaseNamedObjects\116938root116938root1116938root116938root11
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4520
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\19Yrqeedx.exe | File deleted: C:\Windows\java.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\19Yrqeedx.exe | Code function: 2_2_00507730
Source: C:\Users\user\Desktop\19Yrqeedx.exe | Code function: 2_2_005011C9
Source: C:\Windows\java.exe | Code function: 7_2_00507730
Source: C:\Windows\java.exe | Code function: 7_2_005011C9
Dropped file seen in connection with other malware
Source: Joe Sandbox View | Dropped File: C:\Users\user~1\AppData\Local\Temp\services.exe BF316F51D0C345D61EAEE3940791B64E81F676E3BCA42BAD61073227BEE6653C
Source: Joe Sandbox View | Dropped File: C:\Windows\services.exe BF316F51D0C345D61EAEE3940791B64E81F676E3BCA42BAD61073227BEE6653C
One or more processes crash
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 920
PE file contains strange resources
Source: 19Yrqeed.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: java.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\19Yrqeedx.exe | Section loaded: wow64log.dll
Source: C:\Windows\services.exe | Section loaded: wow64log.dll
Source: C:\Windows\java.exe | Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Local\Temp\services.exe | Section loaded: wow64log.dll
Source: C:\Windows\services.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Classification label
Source: classification engine | Classification label: mal88.troj.expl.evad.winEXE@8/14@0/6
Creates temporary files
Source: C:\Users\user\Desktop\19Yrqeedx.exe | File created: C:\Users\user~1\AppData\Local\Temp\zincite.log
Reads software policies
Source: C:\Users\user\Desktop\19Yrqeedx.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\19Yrqeedx.exe 'C:\Users\user\Desktop\19Yrqeedx.exe'
Source: unknown | Process created: C:\Windows\services.exe C:\Windows\services.exe
Source: unknown | Process created: C:\Windows\java.exe 'C:\Windows\java.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\services.exe C:\Users\user~1\AppData\Local\Temp\services.exe
Source: unknown | Process created: C:\Windows\services.exe 'C:\Windows\services.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 920
Source: C:\Users\user\Desktop\19Yrqeedx.exe | Process created: C:\Windows\services.exe C:\Windows\services.exe
Source: C:\Windows\java.exe | Process created: C:\Users\user\AppData\Local\Temp\services.exe C:\Users\user~1\AppData\Local\Temp\services.exe

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\19Yrqeedx.exe | Code function: 2_2_00503620 GetModuleHandleA,LoadLibraryA,GetProcAddress,InternetGetConnectedState
PE file contains sections with non-standard names
Source: services.exe.2.dr | Static PE information: section name: UPX2
Source: services.exe.7.dr | Static PE information: section name: UPX2
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\19Yrqeedx.exe | Code function: 2_2_0050A42D push ds; ret 2_2_0050A42E
Source: C:\Users\user\Desktop\19Yrqeedx.exe | Code function: 2_2_0050DEA6 push ds; ret 2_2_0050DEBE
Source: C:\Users\user\Desktop\19Yrqeedx.exe | Code function: 2_2_0050A501 push ecx; retf 2_2_0050A53F
Source: C:\Users\user\Desktop\19Yrqeedx.exe | Code function: 2_2_0050A50F push ecx; retf 2_2_0050A53F
Source: C:\Users\user\Desktop\19Yrqeedx.exe | Code function: 2_2_00509BA2 push edx; retf 2_2_00509BAB
Source: C:\Windows\services.exe | Code function: 4_2_00405A55 push es; iretd 4_2_00405A8E
Source: C:\Windows\services.exe | Code function: 4_1_00405A55 push es; iretd 4_1_00405A8E
Source: C:\Windows\java.exe | Code function: 7_2_0050A42D push ds; ret 7_2_0050A42E
Source: C:\Windows\java.exe | Code function: 7_2_0050DEA6 push ds; ret 7_2_0050DEBE
Source: C:\Windows\java.exe | Code function: 7_2_0050A501 push ecx; retf 7_2_0050A53F
Source: C:\Windows\java.exe | Code function: 7_2_0050A50F push ecx; retf 7_2_0050A53F
Source: C:\Windows\java.exe | Code function: 7_2_00509BA2 push edx; retf 7_2_00509BAB
Source: C:\Users\user\AppData\Local\Temp\services.exe | Code function: 8_2_00405A55 push es; iretd 8_2_00405A8E
Source: C:\Windows\services.exe | Code function: 9_2_00405A55 push es; iretd 9_2_00405A8E
Sample is packed with UPX
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1

Persistence and Installation Behavior:

Drops PE files with benign system names
Source: C:\Users\user\Desktop\19Yrqeedx.exe | File created: C:\Windows\services.exe
Source: C:\Windows\java.exe | File created: C:\Users\user~1\AppData\Local\Temp\services.exe
Drops executables to the windows directory (C:\Windows) and starts them
Source: unknown | Executable created and started: C:\Windows\java.exe
Source: C:\Users\user\Desktop\19Yrqeedx.exe | Executable created and started: C:\Windows\services.exe
Exploit detected, runtime environment dropped PE file
Source: C:\Windows\java.exe | File created: services.exe.7.dr
Drops PE files
Source: C:\Users\user\Desktop\19Yrqeedx.exe | File created: C:\Windows\java.exe
Source: C:\Users\user\Desktop\19Yrqeedx.exe | File created: C:\Windows\services.exe
Source: C:\Windows\java.exe | File created: C:\Users\user~1\AppData\Local\Temp\services.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\19Yrqeedx.exe | File created: C:\Windows\java.exe
Source: C:\Users\user\Desktop\19Yrqeedx.exe | File created: C:\Windows\services.exe

Hooking and other Techniques for Hiding and Protection:

Creates PE files with a name equal or similar to existing files in Windows
Source: C:\Windows\services.exe | File created: Name: services.exe in C:\Users\user\Desktop\19Yrqeedx.exe
Source: C:\Users\user~1\AppData\Local\Temp\services.exe | File created: Name: services.exe in C:\Windows\java.exe
Disables application error messages (SetErrorMode)
Source: C:\Windows\java.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\java.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\java.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\services.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\services.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\services.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Enumerates the file system
Source: C:\Users\user\Desktop\19Yrqeedx.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\
Source: C:\Users\user\Desktop\19Yrqeedx.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\
Source: C:\Users\user\Desktop\19Yrqeedx.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\
Source: C:\Users\user\Desktop\19Yrqeedx.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\
Source: C:\Users\user\Desktop\19Yrqeedx.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\
Source: C:\Users\user\Desktop\19Yrqeedx.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Setup\
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\services.exe | Window / User API: threadDelayed 1388
Source: C:\Windows\java.exe | Window / User API: threadDelayed 615
Source: C:\Users\user\AppData\Local\Temp\services.exe | Window / User API: threadDelayed 433
Source: C:\Windows\services.exe | Window / User API: threadDelayed 425
Found decision node followed by non-executed suspicious APIs
Source: C:\Windows\java.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_7-3537
Source: C:\Users\user\AppData\Local\Temp\services.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_8-947
Source: C:\Windows\services.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_4-947
Source: C:\Users\user\Desktop\19Yrqeedx.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_2-3533
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\19Yrqeedx.exe TID: 3720 | Thread sleep time: -79000s >= -30000s
Source: C:\Users\user\Desktop\19Yrqeedx.exe TID: 3720 | Thread sleep count: 58 > 30
Source: C:\Windows\services.exe TID: 2960 | Thread sleep count: 1388 > 30
Source: C:\Windows\java.exe TID: 4432 | Thread sleep count: 62 > 30
Source: C:\Windows\java.exe TID: 4432 | Thread sleep count: 31 > 30
Source: C:\Windows\java.exe TID: 4432 | Thread sleep count: 40 > 30
Source: C:\Windows\java.exe TID: 4432 | Thread sleep count: 83 > 30
Source: C:\Windows\java.exe TID: 4432 | Thread sleep count: 132 > 30
Source: C:\Windows\java.exe TID: 4432 | Thread sleep count: 615 > 30
Source: C:\Windows\java.exe TID: 4432 | Thread sleep time: -46125s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\services.exe TID: 5048 | Thread sleep count: 433 > 30
Source: C:\Users\user\AppData\Local\Temp\services.exe TID: 5048 | Thread sleep time: -108250s >= -30000s
Source: C:\Windows\services.exe TID: 1128 | Thread sleep count: 425 > 30
Source: C:\Windows\services.exe TID: 1128 | Thread sleep time: -106250s >= -30000s
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\SysWOW64\WerFault.exe | File opened: PhysicalDrive0
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\19Yrqeedx.exe | Last function: Thread delayed
Source: C:\Windows\java.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\services.exe | Last function: Thread delayed
Source: C:\Windows\services.exe | Last function: Thread delayed
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Users\user\Desktop\19Yrqeedx.exe | Code function: 2_2_00505717 GetSystemTime followed by cmp: cmp word ptr [ebp-10h], 07dch and CTI: jbe 00505758h
Source: C:\Windows\java.exe | Code function: 7_2_00505717 GetSystemTime followed by cmp: cmp word ptr [ebp-10h], 07dch and CTI: jbe 00505758h
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\19Yrqeedx.exe | Code function: 2_2_005052AD lstrcat,Sleep,lstrcpy,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose
Source: C:\Windows\java.exe | Code function: 7_2_005052AD lstrcat,Sleep,lstrcpy,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: services.exe, 00000009.00000002.6097755389.0000000000800000.00000004.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.
Source: services.exe, 00000004.00000002.6076024334.0000000000812000.00000004.sdmp, services.exe, 00000008.00000002.6094162527.0000000000812000.00000004.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Queries a list of all running processes
Source: C:\Windows\SysWOW64\WerFault.exe | Process information queried: ProcessInformation

Anti Debugging:

Checks for debuggers (devices)
Source: C:\Windows\SysWOW64\WerFault.exe | File opened: C:\Windows\WinSxS\FileMaps\users_usere_davies_desktop_d0c8b1053f2960bc.cdf-ms
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\19Yrqeedx.exe | System information queried: KernelDebuggerInformation
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\19Yrqeedx.exe | Process queried: DebugPort
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\19Yrqeedx.exe | Code function: 2_2_00503620 GetModuleHandleA,LoadLibraryA,GetProcAddress,InternetGetConnectedState
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\19Yrqeedx.exe | Code function: 2_2_00504E00 GetProcessHeap,RtlAllocateHeap,CreateFileA,ReadFile,ReadFile,CloseHandle,GetProcessHeap,HeapFree
Enables debug privileges
Source: C:\Windows\SysWOW64\WerFault.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\19Yrqeedx.exe | Process created: C:\Windows\services.exe C:\Windows\services.exe
Source: C:\Windows\java.exe | Process created: C:\Users\user\AppData\Local\Temp\services.exe C:\Users\user~1\AppData\Local\Temp\services.exe
May try to detect the Windows Explorer process (often used for injection)
Source: 19Yrqeedx.exe, 00000002.00000000.5067555259.0000000000D80000.00000002.sdmp, services.exe, 00000004.00000002.6076469017.0000000000F90000.00000002.sdmp, java.exe, 00000007.00000002.6084115318.0000000000E50000.00000002.sdmp, services.exe, 00000008.00000002.6094409178.0000000000F90000.00000002.sdmp, services.exe, 00000009.00000002.6098067071.0000000000F90000.00000002.sdmp | Binary or memory string: Program Managere
Source: 19Yrqeedx.exe, 00000002.00000000.5067555259.0000000000D80000.00000002.sdmp, services.exe, 00000004.00000002.6076469017.0000000000F90000.00000002.sdmp, java.exe, 00000007.00000002.6084115318.0000000000E50000.00000002.sdmp, services.exe, 00000008.00000002.6094409178.0000000000F90000.00000002.sdmp, services.exe, 00000009.00000002.6098067071.0000000000F90000.00000002.sdmp | Binary or memory string: Shell_TrayWnd
Source: 19Yrqeedx.exe, 00000002.00000000.5067555259.0000000000D80000.00000002.sdmp, services.exe, 00000004.00000002.6076469017.0000000000F90000.00000002.sdmp, java.exe, 00000007.00000002.6084115318.0000000000E50000.00000002.sdmp, services.exe, 00000008.00000002.6094409178.0000000000F90000.00000002.sdmp, services.exe, 00000009.00000002.6098067071.0000000000F90000.00000002.sdmp | Binary or memory string: Progman
Source: 19Yrqeedx.exe, 00000002.00000000.5067555259.0000000000D80000.00000002.sdmp, services.exe, 00000004.00000002.6076469017.0000000000F90000.00000002.sdmp, java.exe, 00000007.00000002.6084115318.0000000000E50000.00000002.sdmp, services.exe, 00000008.00000002.6094409178.0000000000F90000.00000002.sdmp, services.exe, 00000009.00000002.6098067071.0000000000F90000.00000002.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query local / system time
Source: C:\Users\user\Desktop\19Yrqeedx.exe Code function: 2_2_005032CB lstrlen,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeZoneInformation,lstrcat,wsprintfA
Contains functionality to query time zone information
Source: C:\Users\user\Desktop\19Yrqeedx.exe Code function: 2_2_005032CB lstrlen,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeZoneInformation,lstrcat,wsprintfA

Stealing of Sensitive Information:

Contains functionality to search for IE or Outlook window (often done to steal information)
Source: C:\Users\user\Desktop\19Yrqeedx.exe Code function: 2_2_0050311C FindWindowA,FindWindowA,FindWindowA,FindWindowA,RtlExitUserThread
Source: C:\Windows\java.exe Code function: 7_2_0050311C FindWindowA,FindWindowA,FindWindowA,FindWindowA,RtlExitUserThread,GetModuleHandleA,GetProcAddress

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\services.exe Code function: 4_2_00401F0E GetProcessHeap,RtlAllocateHeap,htons,htons,socket,closesocket,Sleep,htons,socket,bind,listen,CreateThread,select,Sleep,GetProcessHeap,RtlAllocateHeap,accept,closesocket,accept,GetProcessHeap,HeapFree,CreateThread,CloseHandle
Source: C:\Windows\services.exe Code function: 4_1_00401F0E GetProcessHeap,RtlAllocateHeap,htons,htons,socket,closesocket,Sleep,htons,socket,bind,listen,CreateThread,select,Sleep,GetProcessHeap,RtlAllocateHeap,accept,closesocket,accept,GetProcessHeap,HeapFree,CreateThread,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\services.exe Code function: 8_2_00401F0E GetProcessHeap,RtlAllocateHeap,htons,htons,socket,closesocket,Sleep,htons,socket,bind,listen,CreateThread,select,Sleep,GetProcessHeap,RtlAllocateHeap,accept,closesocket,accept,GetProcessHeap,HeapFree,CreateThread,CloseHandle
Source: C:\Windows\services.exe Code function: 9_2_00401F0E GetProcessHeap,RtlAllocateHeap,htons,htons,socket,closesocket,Sleep,htons,socket,bind,listen,CreateThread,select,Sleep,GetProcessHeap,RtlAllocateHeap,accept,closesocket,accept,GetProcessHeap,HeapFree,CreateThread,CloseHandle

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious

Behavior Graph ID: 102805, Sample: 19Yrqeedx.pif, Startdate: 11/01/2019, Architecture: WINDOWS, Score: 88

Sample node signatures: Antivirus detection for dropped file; Antivirus detection for submitted file; Multi AV Scanner detection for dropped file; 3 other signatures. Started processes: 19Yrqeedx.exe, java.exe, services.exe.

19Yrqeedx.exe dropped: C:\Windows\services.exe (PE32), C:\Windows\java.exe (PE32), C:\Windows\java.exe:Zone.Identifier (ASCII). Signatures: Drops executables to the windows directory (C:\Windows) and starts them; Drops PE files with benign system names. Started: services.exe, WerFault.exe.

java.exe dropped: C:\Users\user~1\AppData\...\services.exe (PE32). Signatures: Antivirus detection for dropped file; Exploit detected, runtime environment starts unknown processes; Exploit detected, runtime environment dropped PE file. Started: services.exe.

services.exe network: 15.139.236.20, port 1034 (HPES-Hewlett-PackardCompanyUS, United States); 16.50.1.34, port 1034 (HP-INTERNET-AS-Hewlett-PackardCompanyUS, United States); 4 other IPs or domains. Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected TCP or UDP traffic on non-standard ports (16.50.1.34).

Simulations

Behavior and APIs

Time | Type | Description
19:35:29 | API Interceptor | 1x Sleep call for process: 19Yrqeedx.exe modified
19:35:31 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run JavaVM C:\Windows\java.exe
19:35:35 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services C:\Windows\services.exe

Antivirus Detection

Initial Sample

Source | Detection | Scanner | Label
19Yrqeed.exe | 100% | Avira | WORM/Mydoom.O.1

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user~1\AppData\Local\Temp\services.exe | 100% | Avira | TR/Mydoom.BB.1
C:\Windows\java.exe | 100% | Avira | WORM/Mydoom.O.1
C:\Windows\services.exe | 100% | Avira | TR/Mydoom.BB.1
C:\Users\user~1\AppData\Local\Temp\services.exe | 86% | virustotal
C:\Users\user~1\AppData\Local\Temp\services.exe | 85% | metadefender
C:\Windows\services.exe | 86% | virustotal
C:\Windows\services.exe | 85% | metadefender

Unpacked PE Files

Source | Detection | Scanner | Label
2.0.19Yrqeedx.exe.500000.1.unpack | 100% | Avira | WORM/Mydoom.MA
4.0.services.exe.400000.2.unpack | 100% | Avira | TR/Mydoom.BB.1
2.2.19Yrqeedx.exe.500000.0.unpack | 100% | Avira | TR/Spy.Agent.afe
7.2.java.exe.500000.0.unpack | 100% | Avira | TR/Spy.Agent.afe
4.0.services.exe.400000.0.unpack | 100% | Avira | TR/Mydoom.BB.1
4.2.services.exe.400000.0.unpack | 100% | Avira | TR/Mydoom.BB.1
4.0.services.exe.400000.1.unpack | 100% | Avira | TR/Mydoom.BB.1
4.0.services.exe.400000.3.unpack | 100% | Avira | TR/Mydoom.BB.1
8.0.services.exe.400000.0.unpack | 100% | Avira | TR/Mydoom.BB.1
7.1.java.exe.500000.0.unpack | 100% | Avira | TR/Spy.Agent.afe
8.0.services.exe.400000.1.unpack | 100% | Avira | TR/Mydoom.BB.1
2.0.19Yrqeedx.exe.500000.0.unpack | 100% | Avira | WORM/Mydoom.MA
9.1.services.exe.400000.0.unpack | 100% | Avira | TR/Mydoom.BB.1
9.2.services.exe.400000.0.unpack | 100% | Avira | TR/Mydoom.BB.1
8.0.services.exe.400000.3.unpack | 100% | Avira | TR/Mydoom.BB.1
4.1.services.exe.400000.0.unpack | 100% | Avira | TR/Mydoom.BB.1
8.2.services.exe.400000.0.unpack | 100% | Avira | TR/Mydoom.BB.1
7.0.java.exe.500000.0.unpack | 100% | Avira | WORM/Mydoom.MA
9.0.services.exe.400000.0.unpack | 100% | Avira | TR/Mydoom.BB.1
8.0.services.exe.400000.2.unpack | 100% | Avira | TR/Mydoom.BB.1
2.1.19Yrqeedx.exe.500000.0.unpack | 100% | Avira | TR/Spy.Agent.afe
2.0.19Yrqeedx.exe.500000.2.unpack | 100% | Avira | WORM/Mydoom.MA
8.1.services.exe.400000.0.unpack | 100% | Avira | TR/Mydoom.BB.1

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs


Domains

No context

ASN


Dropped Files


Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.